CVE-2026-40188
Received Received - Intake
Path Traversal in goshs SFTP Rename Allows Directory Escape

Publication date: 2026-04-10

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40188
EUVD
EUVD-2026-21589
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
goshs goshs 2.0.0
goshs goshs 2.0.0
goshs goshs 2.0.0
goshs goshs From 1.0.7 (inc) to 2.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1314 The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40188 is a high-severity vulnerability in the goshs SFTP server, a SimpleHTTPServer written in Go. The issue occurs because the SFTP rename command sanitizes only the source file path but fails to sanitize the destination path. This means an attacker can rename a file to a location outside the intended SFTP root directory.

Specifically, the source path is properly sanitized, but the destination path is used directly without validation, allowing unauthorized file writes anywhere on the filesystem accessible by the server process.

This flaw enables an attacker with low privileges and no user interaction to write files arbitrarily outside the root directory, potentially leading to system compromise.

Impact Analysis

This vulnerability allows remote attackers with low privileges to write files outside the designated SFTP root directory without user interaction.

By exploiting this, an attacker could overwrite critical system files such as SSH keys or configuration files, potentially leading to remote code execution (RCE) and full system compromise.

The impact is significant because it changes the security scope, allowing unauthorized modification of system integrity.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized file rename operations that write files outside the intended SFTP root directory. Specifically, look for SFTP rename commands where the destination path is outside the root directory, which indicates exploitation attempts.

Since the vulnerability involves the SFTP rename command improperly sanitizing the destination path, you can detect it by checking SFTP server logs for rename requests with destination paths that are absolute or traverse outside the root.

Additionally, after applying the patch, the server logs and webhook notifications will report blocked rename requests with invalid target paths, which can be used to detect exploitation attempts.

  • Check SFTP server logs for rename commands with destination paths outside the root directory.
  • Monitor for webhook notifications or logs indicating blocked SFTP rename requests due to failed path sanitization (if patched).
  • Use commands like `grep 'rename' /path/to/goshs/logfile` to find suspicious rename operations.
  • Use network monitoring tools to capture SFTP traffic and analyze rename commands for suspicious destination paths.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade the goshs SFTP server to version 2.0.0-beta.4 or later, where the vulnerability is fixed by sanitizing the destination path in the rename command.

If upgrading immediately is not possible, monitor and block rename requests with destination paths outside the root directory by implementing custom logging or firewall rules to detect and prevent exploitation attempts.

Ensure that the SFTP server listens on the correct dedicated SFTP port (`opts.SFTPPort`) as fixed in the patch to avoid unintended exposure.

  • Upgrade goshs to version 2.0.0-beta.4 or later.
  • Apply patches that sanitize the rename destination path and block invalid requests.
  • Monitor logs and webhook notifications for blocked rename requests.
  • Restrict network access to the SFTP server to trusted users only.
Compliance Impact

The vulnerability in goshs allows unauthorized file writes outside the intended SFTP root directory, potentially enabling remote code execution by overwriting critical files. This unauthorized access and modification of files could lead to violations of data integrity and security requirements mandated by common standards and regulations such as GDPR and HIPAA.

Specifically, the ability for an attacker with low privileges to write files arbitrarily on the filesystem may result in exposure or tampering of sensitive data, which conflicts with the principles of data protection, confidentiality, and integrity required by these regulations.

Therefore, if goshs is used in environments subject to such compliance standards, this vulnerability could cause non-compliance due to insufficient access controls and lack of proper sanitization, risking unauthorized data manipulation or disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40188. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart